Someone explain how a pin sentry works please....

The Pin Sentries will lock the card's "chip and pin" after 3 failed attempts (like it does in the store readers), requiring you then to go to a cash machine (I'm not sure if it has to be one run by your bank/card company) to reset it.

Most/all chip and pin cards have at least two counters in them: one for failed attempts at C&P type machines, which can be reset at a cash point, and another that does the same for cash points and, I think, requires you to ring the bank so they can tell their cash machines to reset it.

Also I suspect the bank would lock an account that had too many securecode/pin sentry numbers entered incorrectly.
 
I've not heard of this calculator approach with online banking before. Which banks implement this?

Barclays have for several years, and way back in about 2003/4 Barclaycard tried something similar before the SecureCode/Verified by Visa passcode was used.
 
Yeah, it uses an algorithm that's unique to each device; the same algorithm is stored in their authentication server and so should come up with the identical result when you hit go.

Usually the number is valid for 30-60 seconds to take into account the time it takes to copy the number from the device to the screen and hit the necessary buttons.

This is why everyone freaked when the RSA server got hacked a few months ago, it potentially gave away the key for every device.

So if this is true, how, when I go to a Barclays bank and they ask me to verify my pin on their own Pin Sentry, does it work OK when mine's at home?
 
What's stopping a malicious user from recording the 8 digits and reusing them at a later date? The algorithm can't possibly spit out different digits EVERY TIME. Does the banking server record the digits used and store them away so they cannot be reused?
 
> So if this is true, how, when I go to a Barclays bank and they ask me to verify my pin on their own Pin Sentry, does it work OK when mine's at home?

I don't think they are unique. When I am at my parents' and want to check my account, I use my mum's or brother's pin sentry perfectly fine. I also know my mum uses my brother's sometimes.

Otherwise, I have also wondered about this. Great piece of technology, however it works. I'm quite happy with it remaining a mystery, despite always wanting to know how things work. There's not enough mystery these days...
 
> So if this is true, how, when I go to a Barclays bank and they ask me to verify my pin on their own Pin Sentry, does it work OK when mine's at home?

IIRC the main part of the code is actually on the chip in the Chip and Pin card; it's why, if you were an early user, you had to have a new card, whilst later users would most likely have had cards compatible with it as part of the normal replacement programme (and deliberately so; it makes it much easier to admin that way).

The card reader has a secondary part that will work with any compatible card; in theory different banks can use the same readers, the same sort of thing as the card reader in a C&P machine working with any C&P card.

The last few times I've popped into the bank to withdraw cash they've had me enter my pin on one of the pinsentry cards.
 
I believe that every card has a number of 8-digit codes saved in the card's chip, perhaps 30 or so. When the pin is entered correctly into the device it randomly allocates one of the said combination numbers.

I'll ask for you tomorrow hehe :)
 
> So if this is true, how, when I go to a Barclays bank and they ask me to verify my pin on their own Pin Sentry, does it work OK when mine's at home?

OTP tokens use time and a unique serial to seed the crypto functions; your pin sentry replaces the serial with your card (I assume when you enter the right pin your C+P card sends the pin sentry a standardised message).

Hence an OTP token (like RSA ones or the PayPal key) relies on you having that token, and your pin sentry relies on you having that card.

It won't work with somebody else's card, but it will with somebody else's pin sentry.
 
> I believe that every card has a number of 8-digit codes saved in the card's chip, perhaps 30 or so. When the pin is entered correctly into the device it randomly allocates one of the said combination numbers.
>
> I'll ask for you tomorrow hehe :)

That suggests you can reuse codes, and that almost certainly isn't how it works. These are used to prevent people infected with key loggers from being the victims of theft. If a malicious user can log their username/password then they can log their 8 digits, making the whole scheme useless.

After exams I'm going to look into how these *actually* work and I'll update if people are interested.
 
> IIRC the main part of the code is actually on the chip in the Chip and Pin card; it's why, if you were an early user, you had to have a new card, whilst later users would most likely have had cards compatible with it as part of the normal replacement programme (and deliberately so; it makes it much easier to admin that way).
>
> The card reader has a secondary part that will work with any compatible card; in theory different banks can use the same readers, the same sort of thing as the card reader in a C&P machine working with any C&P card.
>
> The last few times I've popped into the bank to withdraw cash they've had me enter my pin on one of the pinsentry cards.
>
> OTP tokens use time and a unique serial to seed the crypto functions; your pin sentry replaces the serial with your card (I assume when you enter the right pin your C+P card sends the pin sentry a standardised message).
>
> Hence an OTP token (like RSA ones or the PayPal key) relies on you having that token, and your pin sentry relies on you having that card.
>
> It won't work with somebody else's card, but it will with somebody else's pin sentry.

Something just flew over my head, not sure what it was, it was too high to see.
 
Make up a unique code, one only you know.

Add the date to the end.

MD5 it (e.g. http://www.miraclesalad.com/webtools/md5.php).

The md5 is now your password, but it will only work today; tomorrow the date will be different and a different md5 will be generated. If the other end knows your unique code they will know your md5 is right; they will also know it is wrong if somebody tries to use the same one tomorrow.

Replace md5 with a stronger encryption method and replace the date with the minute and you're just about there.
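The recipe in the post above, and the earlier remark that OTP tokens seed a crypto function with the time and a secret, can be run end to end. This is an added example, not code from the thread or from any bank: it implements the md5-plus-date scheme exactly as posted, then the "stronger method, per-minute" refinement as an HMAC-SHA256 over a minute counter truncated to 8 digits (the RFC 4226 truncation is my choice, not something the post specifies), and a verifier for "the other end" that allows a minute either side for typing delay and refuses a code from any minute it has already accepted, which is what stops a recorded code being reused. The secret and the dates are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example secret: the "unique code, one only you know" from the post,
# shared in advance with the server. Not a real credential.
SECRET = "constructed-example-secret"


def daily_code(secret: str, day: str) -> str:
    """The scheme exactly as posted: md5(secret + date). The same code works all day."""
    return hashlib.md5((secret + day).encode()).hexdigest()


def minute_code(secret: bytes, step: int, digits: int = 8) -> str:
    """The post's refinement: a keyed hash (HMAC-SHA256) over the minute counter,
    cut down to 8 decimal digits so a person can type it. The truncation follows
    RFC 4226 dynamic truncation (an assumption made here, not stated in the post)."""
    mac = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """'The other end': knows the secret, recomputes the code for the current
    minute (plus one minute either side for typing delay), and refuses any code
    from a minute it has already accepted, so a recorded code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_step = -1  # highest minute counter accepted so far

    def verify(self, code: str, now: float) -> bool:
        step = int(now // 60)
        for candidate in range(step - self.window, step + self.window + 1):
            if hmac.compare_digest(minute_code(self.secret, candidate), code):
                if candidate <= self.last_step:
                    return False  # replay of an old or already-used code
                self.last_step = candidate
                return True
        return False


def demo(now=None) -> dict:
    """Runs both schemes once and returns what each check decided."""
    now = time.time() if now is None else now
    verifier = Verifier(SECRET.encode())
    code = minute_code(SECRET.encode(), int(now // 60))
    return {
        "daily_today": daily_code(SECRET, "2011-05-30"),      # constructed date
        "daily_tomorrow": daily_code(SECRET, "2011-05-31"),   # differs from today's
        "first_use": verifier.verify(code, now),              # accepted
        "replay": verifier.verify(code, now + 20),            # same code again: refused
        "ten_minutes_later": verifier.verify(code, now + 600),  # outside the window: refused
    }


if __name__ == "__main__":
    for name, result in demo(1_300_000_000).items():
        print(name, result)
```

Keeping the highest accepted counter is the whole answer to the reuse question raised earlier in the thread: the server never needs to store the digits themselves, only which minute it last honoured, and anything at or before that minute is dead even if it still falls inside the typing window.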
 
Being a Barclays employee, this thread has made me grin quite widely :D

I once convinced someone they did actually work on radio waves :) Which is totally untrue.

The question regarding the devices in branch and at home: it does not matter which device you use or where, they are all programmed with the same algorithm. In fact, you can use any bank's reader with any other bank's card (although the technology was developed by Barclays), so if your partner banks with NatWest and you can't find your card reader, you can use theirs.

It is very, very, very clever and indeed links your card number (and amounts and account numbers for making payments) to the time and date you request the code, to generate your authentication code to repeat back to the system, which runs the same calculation, all of course having verified that you are in possession of your card by having used your pin number to generate the code. This is why you need to input the last 4 digits of your card when you log in, so that it can match your username to your bank record and then from your record it can tell which card you are using.


We use it in branch simply to identify you - just like using chip and pin. We use the response code to "log in" to your account, just like you use it to log in to online banking - exactly the same theory.
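The employee's description above, plus the earlier points that the card locks after three wrong PINs, that any reader works with any card, and that a payment code is bound to the amount and account, can be modelled as a small challenge-response simulation. This is an added example and not Barclays' or the real chip and pin protocol: the challenge format, the per-card key derivation, the time step and the try-counter behaviour are all assumptions made for illustration. The card checks the PIN and holds the only secret; the reader holds nothing and just formats the challenge; the bank recomputes the expected response, so a tampered amount or destination account, another customer's card, or a locked card all fail.

```python
import hashlib
import hmac


def truncate(mac: bytes, digits: int = 8) -> str:
    """Cut a MAC down to an 8-digit response a customer can read back (RFC 4226 style)."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def challenge(card_number: str, step: int, amount: str = "", account: str = "") -> bytes:
    """What the card is asked to sign: card number, a time step, and for payments the
    amount and destination account. Constructed format; not the real EMV/CAP layout."""
    return f"{card_number}|{step}|{amount}|{account}".encode()


class Card:
    """Simulated chip: holds the PIN, a per-card key and a PIN try counter that
    locks the card after three wrong PINs. A correct PIN resets the counter."""

    def __init__(self, number: str, pin: str, key: bytes, max_tries: int = 3) -> None:
        self.number, self._pin, self._key = number, pin, key
        self.max_tries = self.tries_left = max_tries

    @property
    def locked(self) -> bool:
        return self.tries_left == 0

    def respond(self, pin: str, data: bytes):
        """Verify the PIN on the card, then MAC the challenge with the card's own key."""
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = self.max_tries
        return truncate(hmac.new(self._key, data, hashlib.sha256).digest())


class Reader:
    """Holds no secret: formats the challenge and passes the PIN through to the card.
    That is why any reader works with any card, while a card only works with its key."""

    def respond(self, card: Card, pin: str, step: int, amount: str = "", account: str = ""):
        return card.respond(pin, challenge(card.number, step, amount, account))


class Bank:
    """Server side: keeps each card's key and recomputes the expected response."""

    def __init__(self) -> None:
        self._keys = {}

    def issue(self, number: str, pin: str) -> Card:
        # Constructed key derivation for the example; a real issuer uses an HSM.
        key = hashlib.sha256(f"constructed-issuer-key:{number}".encode()).digest()
        self._keys[number] = key
        return Card(number, pin, key)

    def verify(self, number: str, code, step: int, amount: str = "", account: str = "") -> bool:
        key = self._keys.get(number)
        if key is None or code is None:
            return False
        expected = truncate(hmac.new(key, challenge(number, step, amount, account), hashlib.sha256).digest())
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Walks through login, payment, tampering, a foreign card and a locked card."""
    bank = Bank()
    alice = bank.issue("4000000000000001", "1234")  # constructed card numbers and PINs
    bob = bank.issue("4000000000000002", "5678")
    home_reader, branch_reader = Reader(), Reader()
    step = 21_666_667  # constructed time step

    login_home = home_reader.respond(alice, "1234", step)
    login_branch = branch_reader.respond(alice, "1234", step)
    pay = home_reader.respond(alice, "1234", step, amount="250.00", account="12345678")
    bob_code = home_reader.respond(bob, "5678", step)
    for wrong in ("0000", "1111", "2222"):  # three wrong PINs lock alice's card
        home_reader.respond(alice, wrong, step)

    return {
        "same_code_any_reader": login_home == login_branch,
        "login_accepted": bank.verify(alice.number, login_home, step),
        "payment_accepted": bank.verify(alice.number, pay, step, "250.00", "12345678"),
        "payment_altered_rejected": not bank.verify(alice.number, pay, step, "2500.00", "12345678"),
        "payment_redirected_rejected": not bank.verify(alice.number, pay, step, "250.00", "87654321"),
        "other_card_rejected": not bank.verify(alice.number, bob_code, step),
        "locked_after_three_wrong_pins": alice.locked and home_reader.respond(alice, "1234", step) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two design points carry the thread's observations: the reader is deliberately keyless, which is what makes "use your mum's reader" safe and "use your mum's card" impossible, and the payment response covers the amount and destination account, so malware that changes the payee after the customer has typed the code gets a response the bank will not accept.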
 